Network IPS Buyer's Guide: Sourcefire - Page 2

Pulling it all together

Ultimately, potential threats detected by 3D Sensors must be analyzed and presented to administrators - this job falls to Sourcefire's Defense Center. This management console serves as Sourcefire's dashboard, using drag-and-drop widgets to deliver information appropriate for each installation and administrator. Defense Center is also responsible for aggregating and analyzing Sensor-generated events, applying configurable policies to generated customizable alerts and reports.

A single DC500 can manage three 3D Sensors and store 2.5 million events, while a single DC3000 can manage 100 3D Sensors and store up to 100 million events. In addition, Sourcefire offers a manager-of-managers capability for large or highly distributed enterprises. "You can take one of our DCs and convert it to a master DC to control up to 10 subordinate DCs," explained Wright. "This gives us the largest scalability in the industry, using several hundred DCs, all rolled up through a master DC for centralized monitoring and defense."

In addition, each DC provides interfaces that enable integration with an enterprise's security eco-system. First, a Remediation API can be used to trigger changes on firewalls, routers, vulnerability scanners, or patch managers. Second, an eStreamer interface can be used to relay security, compliance, and sensor health events to SIEMs, log managers, or third-party network managers. Finally, Sourcefire's Host Input API can pump "endpoint intelligence" into its host database - for example, adding input supplied by Qualys. These hooks help Sourcefire work in tandem with other security systems, breaking down barriers that can otherwise reduce organizational efficiency.

Evolving to battle contemporary threats

According to Wright, Sourcefire's "next generation IPS" takes a different approach than yesterday's traditional NIPS. "It's a more dangerous world out there. Today, we see more organized, sophisticated attacks. Organized crime now generates income from hacking endeavors by leveraging very smart people to create very targeted threats using multiple vectors, including web pages, email, social networks, and even people to attack organizations. As a result, you need more sophisticated IPS technology," he said.

"We're working with customers that have smart people in their security teams," said Wright. "They don't want to just trust that vendors are doing the right thing inside a static black box. They want to understand why we're blocking what we're blocking. They want to write their own signatures and to be able to integrate IPS with other technologies." Rules can also be adapted to address advanced persistent threats that might be aimed at your organization but not seen by the larger Snort community.

Furthermore, Wright argues that old-school IPS rule sets just look at packets, but may lack context. "We also look at devices and users - that is, what am I protecting? Without awareness of what's on the network, it's difficult to make intelligent decisions about traffic. With our Real-Time Network Awareness (RNA) and Real-Time User Awareness (RUA) products, we can add this kind of intelligence to NIPS.

In addition, Sourcefire now offers automated IPS tuning. "Adjusting policies on a daily basis has become quite a burden for large enterprises. We've automated that capability to tune your IPS, based on fingerprinted devices , operating systems, and applications normally used on your network," explained Wright. "For example, if you're not running Linux servers, there's no reason to alert on Linux exploits. Automation has become key to reduce the workload of managing IPS."

To illustrate, Piper described how a particular threat might be handled. "We start with intelligent correlation to the target: Is the attack actually going to be impactful on its target? Next, we apply intelligent anomaly detection, using network behavior analysis to baseline activity and detect anomalies. Finally, we look for application violations: white lists that apply application and user awareness to trigger alerts on activities that violate IT policy, like a user placing a Skype call." With this multi-pronged approach, Sourcefire can offer much more than basic NIPS, improving operational efficiency to reduce TCO.

Bottom Line

Sourcefire is very proud of its heritage and continues to leverage threat intelligence supplied by the Snort community. Sourcefire is also proud of recent NSS Labs test results, in which Sourcefire 3D Appliances detected 98 percent of tested attacks and covered 98 percent of CVEs (2004-2010). With purpose-built appliances, scalable management, and modules like RNA and RUA, Sourcefire is working hard to add value to its commercial portfolio, turning a popular open source foundation into a more comprehensive, automated security system focused on business risks and needs.

Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. With over 25 years in the network industry, Lisa has reviewed, deployed, and tested network security products for nearly a decade.